It's a documented format, but it's not open in the sense of being standardized or controlled by an industry group. On the other hand the same can be said of PDF, and nobody seems to mind about that.
It doesn't break the web, but it circumvents what is IMHO the biggest step forward in computer interfaces since the mouse: the back button. If computers had a back/undo/cancel/"just get me out of here and back to a screen I recognise" button that worked everywhere, inexperienced users wouldn't be half as scared, they would play around more, and they'd quickly become more experienced.
Probably because if you open the window in a new tab it's a child of the main window, while the exploit is looking for a top-level window. BUT THAT DOESN'T MEAN YOU'RE SAFE! A better-written version of the exploit could search all open windows and their children until it found a window or tab with the right name.
As far as I can tell, the problem is that Javascript assumes that if you know the name of a popup window, it's because you own it. Maybe the problem could be solved by preventing any script from modifying a page from a different domain than the page running the script? But I'm not sure if that would break sites that load external scripts - Yahoo Mail, for example, loads its scripts from a different domain (yimg.com) than the main page. I guess it would still work if you based it on the origin of the main page rather than the origin of the script, but would that break any other sites?
The attack works in Mozilla 1.7.3 on WinXP with popups disabled. Do you have the tab browsing extension installed? From what I've been reading here it seems to prevent the attack.
Yes, the bug is in Javascript rather than the browser, but that doesn't mean specific Javascript implementations can't be fixed. You could, for example, only allow scripts to modify windows originating from the same domain as the window running the script. Actually I thought this was already the case, but I guess there's a loophole where popup windows are concerned.
BTW Javascript has nothing to do with Java except the name.
I don't know about OpenOffice.org, but Gnome uses the gettext library. You wrap every string literal with a gettext macro call, and translations can then be loaded at runtime based on the locale, without recompiling the program. The macros are very unobtrusive - _("hello") rather than "hello" - but you have to be careful about things like
printf (_("%d item"), num);
if (num == 1) printf (_("\n"));
else printf (_("s\n"));
because plurals are handled differently in different languages.
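Plural handling done the way gettext intends, as an added example that is not part of the original comment: ngettext is the gettext call for this case (the C library exposes the same function), shown here through Python's standard gettext module rather than C. The in-memory DictTranslations helper, the Polish catalog and its plural rule are constructed for the example and stand in for a compiled .mo file; the naive function reproduces the suffix-appending pattern from the comment so the two can be compared.

```python
import gettext

# Constructed Polish catalog: Polish needs three plural forms, so appending
# an "s" (or any single suffix) to a translated stem cannot produce them.
CATALOG_PL = {
    "singular": {"%d item": "%d element"},
    "plural": {
        ("%d item", "%d items"): ["%d element", "%d elementy", "%d elementów"],
    },
}


def polish_plural(n: int) -> int:
    """Plural-form index for Polish, following the GNU gettext Plural-Forms
    rule: 1 -> form 0; 2-4 (but not 12-14) -> form 1; everything else -> form 2."""
    if n == 1:
        return 0
    if 2 <= n % 10 <= 4 and not 12 <= n % 100 <= 14:
        return 1
    return 2


class DictTranslations(gettext.NullTranslations):
    """Hypothetical helper: an in-memory catalog with the same gettext/ngettext
    interface that a GNUTranslations object loaded from a .mo file would have."""

    def __init__(self, catalog: dict, plural_rule):
        super().__init__()
        self._singular = catalog["singular"]
        self._plural = catalog["plural"]
        self._rule = plural_rule

    def gettext(self, message):
        return self._singular.get(message, message)

    def ngettext(self, msgid1, msgid2, n):
        forms = self._plural.get((msgid1, msgid2))
        if forms is None:  # untranslated: fall back to English behaviour
            return msgid1 if n == 1 else msgid2
        return forms[self._rule(n)]


EN = gettext.NullTranslations()  # no catalog loaded: English strings pass through
PL = DictTranslations(CATALOG_PL, polish_plural)


def count_items_naive(n: int, tr: gettext.NullTranslations) -> str:
    """The pattern from the comment: translate the stem, then bolt on a suffix."""
    return (tr.gettext("%d item") % n) + ("" if n == 1 else "s")


def count_items(n: int, tr: gettext.NullTranslations) -> str:
    """The gettext way: ngettext selects the form via the catalog's plural rule."""
    return tr.ngettext("%d item", "%d items", n) % n


if __name__ == "__main__":
    for n in (1, 2, 5, 12, 22):
        print(n, count_items_naive(n, PL), "|", count_items(n, PL))
```

In English both functions agree, which is exactly why the bug goes unnoticed until a translator for a three-form language gets the string; with the Polish catalog the naive version emits "5 elements" while ngettext emits "5 elementów".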
Real terrorists use fear (terror) as a tool to push their agenda.
Whoah, careful there. That definition would make an awful lot of US and UK politicians into terrorists. Please consider using a more precise definition: "real terrorists use fear (terror) as a tool to push their agenda and don't work for governments, government contractors, flag manufacturers or media companies".
Most of the problems with anonymity don't apply to pseudonymity - if email addresses and Slashdot logins were based on public keys, you could avoid spam and browse at +2 just as well as you can now, without anyone having a clue as to your real identity. Digital identities are useful, but I don't believe that's an argument for digital tracking of real-world identities.
Unfortunately, the level and detail of planning documents needed to manage the new cyber mission within DHS was not forthcoming. Budget paperwork throughout the fiscal year was vague. It is still unknown whether spending plans and detailed budget execution data exists.
...
Once in place, the Director, a well-respected cybersecurity expert with experience in both the private and government sectors, left the Department after only a year and has not been permanently replaced as of this writing.
Ouch. Sounds like a runaway gravy train with no driver at the wheel.
Thanks, help would be great - hope you read replies to your anonymous posts. I'm definitely planning on implementing something but I haven't put much online because the design's in flux at the moment. I'm hoping to build a general-purpose anonymous datagram network, but because of the need to exchange public keys with someone before you can communicate, it will probably be best suited to IM and file sharing between friends.
It's not centralization that prevents you from having to search through 30,000 random files, it's the ability to link to a particular file in a verifiable way. Merkle hash trees can achieve the same thing in any filesharing network. In a hash tree the file is broken up into equal-sized chunks. The chunks form the bottom layer of the tree. Each chunk is hashed, and the concatenated hashes form the next layer of the tree. Repeat until there's only one hash, and that's your filename. You can request branches of the tree in parallel from different peers, and every chunk can be verified as soon as it's downloaded.
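The hash-tree construction described above, as an added example that is not part of the original comment: a Python implementation that splits a byte string into fixed-size chunks, builds the tree by pairing adjacent hashes (a binary tree, the usual reading of "concatenated hashes form the next layer"), uses the root as the verifiable filename, and can extract the branch needed to verify one chunk on its own. The leaf/node prefixes follow the THEX convention (0x00 for leaves, 0x01 for internal nodes) so a chunk cannot be passed off as an internal node; the chunk size and input text are constructed for the example.

```python
import hashlib

CHUNK_SIZE = 4  # constructed: tiny chunks so the tree is easy to inspect


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(chunk: bytes) -> bytes:
    # Domain separation: leaves and internal nodes get different prefixes
    # (the THEX convention) so a chunk cannot masquerade as a node.
    return sha256(b"\x00" + chunk)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def split_chunks(data: bytes, size: int = CHUNK_SIZE) -> list:
    """Equal-sized chunks (the last may be shorter); empty input is one empty chunk."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def build_tree(data: bytes, size: int = CHUNK_SIZE) -> list:
    """Return the tree as layers: layers[0] = chunk hashes, layers[-1] = [root]."""
    layer = [leaf_hash(c) for c in split_chunks(data, size)]
    layers = [layer]
    while len(layer) > 1:
        nxt = []
        for i in range(0, len(layer), 2):
            if i + 1 < len(layer):
                nxt.append(node_hash(layer[i], layer[i + 1]))
            else:
                nxt.append(layer[i])  # odd node out is promoted unchanged
        layer = nxt
        layers.append(layer)
    return layers


def root_hash(data: bytes, size: int = CHUNK_SIZE) -> str:
    """The root hash, hex-encoded: this is the verifiable 'filename'."""
    return build_tree(data, size)[-1][0].hex()


def branch(layers: list, index: int) -> list:
    """Sibling hashes from chunk `index` up to the root, one per level.
    None marks a level where the node had no sibling and was promoted."""
    proof = []
    for layer in layers[:-1]:
        sibling = index ^ 1
        proof.append(layer[sibling] if sibling < len(layer) else None)
        index //= 2
    return proof


def verify_chunk(chunk: bytes, index: int, proof: list, root: str) -> bool:
    """Recompute the path from one chunk to the root using only its branch,
    so a chunk fetched from any peer can be checked the moment it arrives.
    The bits of `index` say on which side the sibling sits at each level."""
    h = leaf_hash(chunk)
    for sibling in proof:
        if sibling is not None:
            h = node_hash(h, sibling) if index % 2 == 0 else node_hash(sibling, h)
        index //= 2
    return h.hex() == root


if __name__ == "__main__":
    data = b"The quick brown fox jumps over the lazy dog"  # constructed input
    layers = build_tree(data)
    root = root_hash(data)
    print("root / filename:", root)
    for i, chunk in enumerate(split_chunks(data)):
        print(i, chunk, verify_chunk(chunk, i, branch(layers, i), root))
    print("tampered chunk accepted?", verify_chunk(b"XXXX", 0, branch(layers, 0), root))
```

A peer that knows only the root can request chunks and branches from several untrusted peers in parallel and reject a bad chunk immediately, instead of discovering the corruption after hashing the whole file.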
BitTorrent trackers just give you a way of finding peers who are downloading the same file - they are *not* necessary for data verification. A P2P search network like CRL would allow you to find peers that are interested in the same (verifiable) filename in a completely decentralized way. You could then use BitTorrent's parallel, incentive-based download mechanism to retrieve the file.
Gnutella is pretty easy to DoS, just launch as many queries as your connection can sustain, all with max TTL. Gnutella2 might be even easier because you can focus on superpeers. Not that they're bad filesharing systems, but whoever is DoSing BitTorrent could probably DoS Gnutella just as easily.
There's also GNUnet, which is similar to Freenet but with files broken up into equal-sized chunks to allow parallel downloads. All these systems are fine for avoiding an adversary like the RIAA that has limited powers and only wants to collect a few IP addresses for lawsuits, but they shouldn't be considered anonymous or censorship-resistant in any strong sense. Freenet, MUTE and JetiAnts can be DOSed pretty easily and GNUnet's anonymity can be undermined. I'm researching censorship-resistant communication for my PhD so I've got a literature review and bibliography online if you're interested.
True, but fingerprints either match or don't match - there's a big difference between "is X in the database?" and "sort the database by similarity with X", because the latter always casts suspicion on someone who's already in the database.
Most of Turkey is in Asia, but Istanbul is in Europe and has strong historical ties to Europe - it became the capital of the Roman empire after the fall of Rome. I'm opposed to Turkish membership of the EU, but I have to admit that Turkey, like Russia, is neither entirely Asian nor entirely European, so there's an argument for considering it part of Europe.
the computer uses an algorithm to compare the data of this face to thousands of others on a database of offenders - people who have ever been arrested or charged. Within seconds it lists the matches in order of relevance, just like a web search engine.
Am I the only one who's worried by the implicit assumption that all crimes are committed by people who've previously been arrested or charged? This technology sounds ideal if you're a policeman looking for a plausible "usual suspect" to blame for an unsolved crime. If, on the other hand, you're trying to find out which member of the general population actually committed the crime, there's a risk of being led down the garden path by this technology.
Not just the purpose of the constellation - the purpose of the announcement is to send the message to the Chinese people that "we can see what you're doing, anywhere, any time". If people believe that, the government doesn't even need satellites...
A malware writer and a lawyer are drowning in a lake. You only have one rope - who do you throw the anchor to?
No, I don't speak Swahili. ;-)
Content filtering would mean no more SSL/SSH - I hope they're not ready to go that far yet.
Pass the bottle.
CCTV cameras are often arranged so that each camera is in view of another camera. Anyone disabling one camera will be caught on another.
Well, no-one except Bert from Sesame Street.
An ID database in which you can generate a new identity by shaving is not a very useful ID database.